Forms Authentication Question


  1. #1

    forms authentication question

    Everything is working in my authentication process except
    for the fact that I can't retrieve the "UserData" property
    from the "FormsAuthenticationTicket".

    Right before I do a "RedirectFromLoginPage", I check
    the "UserData" property of
    the "FormsAuthenticationTicket". It's set to the
    value "Admin" (a role for the user) which is what I want.

    Here is the code:

    strUserName = CType(drOLEDBNicemScheduling.GetValue(1) & Chr(32) & drOLEDBNicemScheduling.GetValue(2), String)
    'Set the authentication ticket
    Dim arrRoles(0) As String
    arrRoles(0) = drOLEDBNicemScheduling.GetValue(3)
    Dim ticket As New FormsAuthenticationTicket(1, strUserName, Now, DateAdd(DateInterval.Minute, 60, Now), ValidateLogin.PersistantCookie, arrRoles(0))
    Dim cookie = New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
    If ValidateLogin.PersistantCookie Then
        Response.Cookies.Add(cookie)
    End If
    'Create Identity
    Dim objIdentity As New Security.Principal.GenericIdentity(strUserName)
    Dim objPrincipal As New Security.Principal.GenericPrincipal(objIdentity, arrRoles)

    FormsAuthentication.RedirectFromLoginPage(strUserName, ValidateLogin.PersistantCookie)

    However, once I get in the Global.asax file in
    the "Application_AuthenticateRequest" event (fired by the
    FormsAuthentication.RedirectFromLoginPage method), I check
    the "UserData" property of the ticket and it's an empty
    string! All the other properties pertaining to the ticket
    are there. I'm setting up the cookie, so the "Userdata"
    property should be populated.

    Here is the code in the global.asax file:

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)

        If (Not (HttpContext.Current.User Is Nothing)) Then
            If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
                If HttpContext.Current.User.Identity.IsAuthenticated Then
                    Dim id As FormsIdentity = HttpContext.Current.User.Identity
                    Dim ticket As FormsAuthenticationTicket = id.Ticket
                    Dim roles(0) As String
                    roles(0) = ticket.UserData
                    HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, roles)
                End If
            End If
        End If

    End Sub

    What am I doing wrong??? I need to be able to identify the
    role of the user (they will only have 1 role).

    Thanks,

    Bill........
    bill yeager Guest

  3. #2

    Forms Authentication Question

    I would like to secure an ASP.NET application with Forms
    Authentication. Within the web.config file of the
    application, I have the following:

    <authentication mode="Forms">
    <forms
    loginUrl="http://localhost/authenticate/login.aspx"
    path="/" />
    </authentication>

    <authorization>
    <deny users="?" />
    </authorization>

    The IIS Security is set to Anonymous Access. When I
    attempt to access a page in my web application, I am
    redirected to the login page specified in the URL above.
    When I enter the username and password, and click login,
    I am redirected again to the same login page. I cannot
    get past the login page. What am I doing wrong?
    Greg Guest

  4. #3

    Re: Forms Authentication Question

    Greg Wrote:
    > The IIS Security is set to Anonymous Access. When I
    > attempt to access a page in my web application, I am
    > redirected to the login page specified in the URL above.
    > When I enter the username and password, and click login,
    > I am redirected again to the same login page. I cannot
    > get past the login page. What am I doing wrong?
    Hey

    The
    <forms
    loginUrl="x"...

    redirects you to a page where you want unauthorized users to go.
    If validation mismatches you will get that page. That is probably why.

    You have to add some credential tags to your Web.Config, or make validation
    correct in your database.

    ------------
    Matrixrevolution@webspeed.dk
    2003-04 /MR


    news.tele.dk Guest

  5. #4

    Re: Forms Authentication Question

    You need to set the security cookie using either
    FormsAuthentication.RedirectFromLoginPage or SetAuthCookie.

    Hope this helps.

    Tommy

    "Greg" <ggb_business@yahoo.com> wrote in message
    news:1450901c3c339$4b6861b0$a601280a@phx.gbl...
    > I would like to secure an ASP.NET application with Forms
    > Authentication. Within the web.config file of the
    > application, I have the following:
    >
    > <authentication mode="Forms">
    > <forms
    > loginUrl="http://localhost/authenticate/login.aspx"
    > path="/" />
    > </authentication>
    >
    > <authorization>
    > <deny users="?" />
    > </authorization>
    >
    > The IIS Security is set to Anonymous Access. When I
    > attempt to access a page in my web application, I am
    > redirected to the login page specified in the URL above.
    > When I enter the username and password, and click login,
    > I am redirected again to the same login page. I cannot
    > get past the login page. What am I doing wrong?

    Tommy Martin Guest

  6. #5

    Re: Forms Authentication Question

    Thanks for the reply. I use the
    FormsAuthentication.RedirectFromLoginPage method after I
    have validated the user's username and password against
    our Active Directory.
    >-----Original Message-----
    >You need to set the security cookie using either
    >FormsAuthentication.RedirectFromLoginPage or SetAuthCookie.
    >
    >Hope this helps.
    >
    >Tommy
    >
    >"Greg" <ggb_business@yahoo.com> wrote in message
    >news:1450901c3c339$4b6861b0$a601280a@phx.gbl...
    >> I would like to secure an ASP.NET application with Forms
    >> Authentication. Within the web.config file of the
    >> application, I have the following:
    >>
    >> <authentication mode="Forms">
    >> <forms
    >> loginUrl="http://localhost/authenticate/login.aspx"
    >> path="/" />
    >> </authentication>
    >>
    >> <authorization>
    >> <deny users="?" />
    >> </authorization>
    >>
    >> The IIS Security is set to Anonymous Access. When I
    >> attempt to access a page in my web application, I am
    >> redirected to the login page specified in the URL above.
    >> When I enter the username and password, and click login,
    >> I am redirected again to the same login page. I cannot
    >> get past the login page. What am I doing wrong?
    Greg Guest

  7. #6

    Re: Forms Authentication Question

    I am having the same problem...

    I use Forms authentication and everything works fine on my local comp
    (win XP) and DID work on the host's server (win 2k)... but I just got
    moved to a win 2k3 server and now I get redirected even after being
    authenticated (I have the login page show whether or not a user is
    authenticated)

    Robert Anon Guest

  8. #7

    Re: Forms Authentication Question

    Any ideas???

    This is really frustrating as it shows that I am logged in as "user"
    with the Authentication Method being FORMS ... Nevertheless, I still
    can't access the protected directory

    Robert Anon Guest

  9. #8

    Re: Forms Authentication Question

    I believe the problem is that your login page is in a folder that is not
    accessible by anonymous users. Put the login.aspx page in a public
    <authorization ... allow user="*"> folder and protected pages in a separate
    folder (that doesn't allow anonymous users). Give it a shot. It works
    here!!! Also, keep in mind that web.config settings flow down the directory
    structure until another web.config is found that overrides its settings.

    HTH.

    "Greg" <ggb_business@yahoo.com> wrote in message
    news:1450901c3c339$4b6861b0$a601280a@phx.gbl...
    > I would like to secure an ASP.NET application with Forms
    > Authentication. Within the web.config file of the
    > application, I have the following:
    >
    > <authentication mode="Forms">
    > <forms
    > loginUrl="http://localhost/authenticate/login.aspx"
    > path="/" />
    > </authentication>
    >
    > <authorization>
    > <deny users="?" />
    > </authorization>
    >
    > The IIS Security is set to Anonymous Access. When I
    > attempt to access a page in my web application, I am
    > redirected to the login page specified in the URL above.
    > When I enter the username and password, and click login,
    > I am redirected again to the same login page. I cannot
    > get past the login page. What am I doing wrong?

    Z Guest

  10. #9

    forms authentication question

    Hi,

    I use Forms authentication in my VB.NET ASP web application.
    On the login page I set the authentication cookie, and I can see the cookie
    is there.
    In Global_AuthenticateRequest
    I get IsNothing(HttpContext.Current.User) = true.
    Why doesn't the framework recognise my cookie?

    The code to put the cookie is:

    FormsAuthentication.Initialize()

    Dim ticket As FormsAuthenticationTicket = New FormsAuthenticationTicket( _
        1, userId, _
        DateTime.Now, DateTime.Now.AddMinutes(Session.Timeout), _
        False, roles)

    Dim hash As String = FormsAuthentication.Encrypt(ticket)

    Dim cookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, hash)

    ' Add the cookie to the list for outgoing response
    Page.Response.Cookies.Add(cookie)

    z. f. Guest

  11. #10

    Re: forms authentication question

    You may use a "safer" approach for building Forms cookies from this sample:
    http://weblogs.asp.net/hernandl/archive/2004/08/05/FormsAuthRoles2.aspx

    Notice the first line:

    // Get the cookie created by the FormsAuthentication API
    // Notice that this cookie will have all the attributes according to
    // the ones in the config file setting.
    HttpCookie cookie = FormsAuthentication.GetAuthCookie( userId, false );

    And the cookie updating code:

    // Update the outgoing cookies collection.
    Context.Response.Cookies.Set(cookie);

    --
    Hernan de Lahitte
    http://weblogs.asp.net/hernandl


    Hernan de Lahitte Guest
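
The approach described in post #10, written out in VB.NET as an added example (not code from the thread or from the linked sample); it also bears on the empty "UserData" in post #1, because FormsAuthentication.RedirectFromLoginPage writes its own ticket, with empty UserData, under the same cookie name. The names RoleTicket, IssueCookie and RestoreRoles and the "|" role separator are assumptions made for this example.

```vb
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Added example: RoleTicket, IssueCookie and RestoreRoles are hypothetical names.
Public Module RoleTicket

    ' Login page: call only after the credentials have been validated.
    Public Sub IssueCookie(ByVal context As HttpContext, ByVal userName As String, _
                           ByVal roles As String(), ByVal persistent As Boolean)
        ' Let the framework build the cookie so its name, path and timeout
        ' follow the <forms> element in web.config.
        Dim cookie As HttpCookie = FormsAuthentication.GetAuthCookie(userName, persistent)
        Dim issued As FormsAuthenticationTicket = FormsAuthentication.Decrypt(cookie.Value)

        ' Tickets are immutable: copy the fields and attach the roles as UserData.
        Dim withRoles As New FormsAuthenticationTicket( _
            issued.Version, issued.Name, issued.IssueDate, issued.Expiration, _
            issued.IsPersistent, String.Join("|", roles), issued.CookiePath)

        ' Set replaces any cookie of the same name already queued on the response.
        cookie.Value = FormsAuthentication.Encrypt(withRoles)
        context.Response.Cookies.Set(cookie)

        ' Redirect manually. RedirectFromLoginPage would issue a fresh ticket
        ' with empty UserData and the browser would keep that one instead.
        context.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent))
    End Sub

    ' Global.asax: call from Application_AuthenticateRequest.
    Public Sub RestoreRoles(ByVal context As HttpContext)
        If context.User Is Nothing Then Return
        If Not TypeOf context.User.Identity Is FormsIdentity Then Return

        Dim id As FormsIdentity = DirectCast(context.User.Identity, FormsIdentity)
        If Not id.IsAuthenticated Then Return

        ' UserData can be trusted only because the ticket is encrypted and
        ' validated (protection="All", the default for <forms>).
        Dim roles As String() = New String() {}
        If id.Ticket.UserData.Length > 0 Then roles = id.Ticket.UserData.Split("|"c)
        context.User = New GenericPrincipal(id, roles)
    End Sub

End Module
```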

  12. #11

    Re: forms authentication question

    Is there something wrong with my code?
    The same code in a C# web application works correctly; what could I have missed here?
    I can see that the browser sends the cookie.
    I can also see that the login page redirects me after a successful login to the requested page.
    It's just that my requested page doesn't get to execute because the framework redirects me back to the login page, because it does not recognise the current user.
    IsNothing(HttpContext.Current.User) = true
    in global_authenticateRequest.
    Current.User should get its instance from the framework using the auth cookie, automatically; is this correct?



    z. f. Guest
